produce quick'n'dirty Qubes-Whonix 12 developers template repository

[adrelanos]

@bnvk was interested to see a snapshot of Whonix development. But without jumping thought the hoops of setting up a development environment and building from source code.

@marmarek can you try to build Qubes-Whonix please?

It's quick'n'dirty, meaning:

• Build from https://github.com/Whonix/Whonix master branch, no tag
• Whonix packages don't have proper releases/tags either.
• Therefore not supposed to be run by users and not supposed to be updated
• Just supposed for having a quick look at it, some testing, feedback, bug reporting and wiping the image. No full support.

Ideally the process requires only minimal effort/time from @marmarek. And @bnvk could just add the developers template repository / signing key and install the template from there with four or five shell commands. Ideally this process could be repeated in future with minimal effort.

(Once done a proper testers image can be created that works as RC, i.e. a rpm package of an image that may be migrated to the stable repository.)

If this generates too much work, I could alternatively figure out how to host my own rpm repository.

Related questions:

• marmarek/qubes-template-whonix#3
• Do we want https://github.com/QubesOS/qubes-template-whonix? It does not exist at time of writing.
• Do you want to build from @adrelanos, @marmarek or @QubesOS?

[marmarek]

On Sun, Oct 11, 2015 at 05:09:03AM -0700, Patrick Schleizer wrote:

@bnvk was interested to see a snapshot of Whonix development. But without jumping thought the hoops of setting up a development environment and building from source code.

@marmarek can you try to build Qubes-Whonix please?

Sure. Just a workstation/gateway, or both?

It's quick'n'dirty, meaning:

• Build from https://github.com/Whonix/Whonix master branch, no tag
• Whonix packages don't have proper releases/tags either.

This means that I'd need to build with NO_CHECK=1. That's fine for test
image, but it really shouldn't be used for anything serious.
Since I'll be building in DispVM, the unverified content will land
inside of root.img. The rpm package itself will be trusted (in terms of not
compromising the whole Qubes host).

To make it obvious I'll suffix template names with "-testonly". Do you
anticipate any problem because of different template name?

• Therefore not supposed to be run by users and not supposed to be updated
• Just supposed for having a quick look at it, some testing, feedback, bug reporting and wiping the image. No full support.

Ideally the process requires only minimal effort/time from @marmarek. And @bnvk could just add the developers template repository / signing key and install the template from there with four or five shell commands. Ideally this process could be repeated in future with minimal effort.

Currently there is no template test/devel repository. But we can
repurpose "unstable" repo for this.

(Once done a proper testers image can be created that works as RC, i.e. a rpm package of an image that may be migrated to the stable repository.)

If this generates too much work, I could alternatively figure out how to host my own rpm repository.

Related questions:

• marmarek/qubes-template-whonix#3

I'll take care of it later...

• Do we want https://github.com/QubesOS/qubes-template-whonix? It does not exist at time of writing.

Not sure, maybe yes? Generally I think the "main" repository for this
component should be @Whonix. Having fork at @QubesOS is rather PR
question. @mfc any opinion ?

• Do you want to build from @adrelanos, @marmarek or @QubesOS?

I think the easiest would be @adrelanos. Especially for the test image.

Is the current state of adrelanos/qubes-template-whonix ready for build?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

On Sun, Oct 11, 2015 at 05:09:03AM -0700, Patrick Schleizer wrote:

@bnvk was interested to see a snapshot of Whonix development. But without jumping thought the hoops of setting up a development environment and building from source code.

@marmarek can you try to build Qubes-Whonix please?

Sure. Just a workstation/gateway, or both?

It's quick'n'dirty, meaning:

• Build from https://github.com/Whonix/Whonix master branch, no tag
• Whonix packages don't have proper releases/tags either.

This means that I'd need to build with NO_CHECK=1. That's fine for test
image, but it really shouldn't be used for anything serious.
Since I'll be building in DispVM, the unverified content will land
inside of root.img. The rpm package itself will be trusted (in terms of not
compromising the whole Qubes host).

To make it obvious I'll suffix template names with "-testonly". Do you
anticipate any problem because of different template name?

• Therefore not supposed to be run by users and not supposed to be updated
• Just supposed for having a quick look at it, some testing, feedback, bug reporting and wiping the image. No full support.

Ideally the process requires only minimal effort/time from @marmarek. And @bnvk could just add the developers template repository / signing key and install the template from there with four or five shell commands. Ideally this process could be repeated in future with minimal effort.

Currently there is no template test/devel repository. But we can
repurpose "unstable" repo for this.

(Once done a proper testers image can be created that works as RC, i.e. a rpm package of an image that may be migrated to the stable repository.)

If this generates too much work, I could alternatively figure out how to host my own rpm repository.

Related questions:

• marmarek/qubes-template-whonix#3

I'll take care of it later...

• Do we want https://github.com/QubesOS/qubes-template-whonix? It does not exist at time of writing.

Not sure, maybe yes? Generally I think the "main" repository for this
component should be @Whonix. Having fork at @QubesOS is rather PR
question. @mfc any opinion ?

• Do you want to build from @adrelanos, @marmarek or @QubesOS?

I think the easiest would be @adrelanos. Especially for the test image.

Is the current state of adrelanos/qubes-template-whonix ready for build?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[adrelanos]

Just a workstation/gateway, or both?

Both.

• Build from https://github.com/Whonix/Whonix master branch, no tag
• Whonix packages don't have proper releases/tags either.
  This means that I'd need to build with NO_CHECK=1.

NO_CHECK is not required. They have tags, but no "clean" ones.

Do you anticipate any problem because of different template name?

No.

But we can repurpose "unstable" repo for this.

Ok.

Is the current state of adrelanos/qubes-template-whonix ready for build?

It was. But now since I switched to stable, RC3, I am getting the following when running make qubes-vm.

Updating goal targets....
Considering target file 'all'.
 File 'all' does not exist.
 Finished prerequisites of target file 'all'.
Must remake target 'all'.
Successfully remade target file 'all'.
  Successfully remade target file 'template-whonix-vm'.
  Considering target file 'Whonix-vm'.
   File 'Whonix-vm' does not exist.
    Pruning file 'check-depend'.
   Finished prerequisites of target file 'Whonix-vm'.
  Must remake target 'Whonix-vm'.
-> ERROR: Wrong branch (no branch) (expected master)
Makefile:193: recipe for target 'Whonix-vm' failed
make: *** [Whonix-vm] Error 1

Any idea how to fix? Maybe we'll find a few other issues when attempting to build. Specifically building in a DispVM is untested.

[adrelanos]

Just a workstation/gateway, or both?

Both.

• Build from https://github.com/Whonix/Whonix master branch, no tag
• Whonix packages don't have proper releases/tags either.
  This means that I'd need to build with NO_CHECK=1.

NO_CHECK is not required. They have tags, but no "clean" ones.

Do you anticipate any problem because of different template name?

No.

But we can repurpose "unstable" repo for this.

Ok.

Is the current state of adrelanos/qubes-template-whonix ready for build?

It was. But now since I switched to stable, RC3, I am getting the following when running make qubes-vm.

Updating goal targets....
Considering target file 'all'.
 File 'all' does not exist.
 Finished prerequisites of target file 'all'.
Must remake target 'all'.
Successfully remade target file 'all'.
  Successfully remade target file 'template-whonix-vm'.
  Considering target file 'Whonix-vm'.
   File 'Whonix-vm' does not exist.
    Pruning file 'check-depend'.
   Finished prerequisites of target file 'Whonix-vm'.
  Must remake target 'Whonix-vm'.
-> ERROR: Wrong branch (no branch) (expected master)
Makefile:193: recipe for target 'Whonix-vm' failed
make: *** [Whonix-vm] Error 1

Any idea how to fix? Maybe we'll find a few other issues when attempting to build. Specifically building in a DispVM is untested.

[marmarek]

On Sun, Oct 11, 2015 at 02:24:12PM -0700, Patrick Schleizer wrote:

NO_CHECK is not required. They have tags, but no "clean" ones.

Ok, good.

BTW any special reason/meaning for such long tag names? I guess it comes
from git describe (which in case of no tag, prints last tag name +
last commit id), right? No problem, just curious.

But now since I switched to stable, RC3, I am getting the following when running make qubes-vm.

Updating goal targets....
Considering target file 'all'.
 File 'all' does not exist.
 Finished prerequisites of target file 'all'.
Must remake target 'all'.
Successfully remade target file 'all'.
  Successfully remade target file 'template-whonix-vm'.
  Considering target file 'Whonix-vm'.
   File 'Whonix-vm' does not exist.
    Pruning file 'check-depend'.
   Finished prerequisites of target file 'Whonix-vm'.
  Must remake target 'Whonix-vm'.
-> ERROR: Wrong branch (no branch) (expected master)
Makefile:193: recipe for target 'Whonix-vm' failed
make: *** [Whonix-vm] Error 1

Any idea how to fix? Maybe we'll find a few other issues when attempting to build. Specifically building in a DispVM is untested.

This is an optional safeguard for release builds - to not build from the
wrong branch by mistake. Simply remove "CHECK_BRANCH" setting from
builder.conf.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

On Sun, Oct 11, 2015 at 02:24:12PM -0700, Patrick Schleizer wrote:

NO_CHECK is not required. They have tags, but no "clean" ones.

Ok, good.

BTW any special reason/meaning for such long tag names? I guess it comes
from git describe (which in case of no tag, prints last tag name +
last commit id), right? No problem, just curious.

But now since I switched to stable, RC3, I am getting the following when running make qubes-vm.

Updating goal targets....
Considering target file 'all'.
 File 'all' does not exist.
 Finished prerequisites of target file 'all'.
Must remake target 'all'.
Successfully remade target file 'all'.
  Successfully remade target file 'template-whonix-vm'.
  Considering target file 'Whonix-vm'.
   File 'Whonix-vm' does not exist.
    Pruning file 'check-depend'.
   Finished prerequisites of target file 'Whonix-vm'.
  Must remake target 'Whonix-vm'.
-> ERROR: Wrong branch (no branch) (expected master)
Makefile:193: recipe for target 'Whonix-vm' failed
make: *** [Whonix-vm] Error 1

Any idea how to fix? Maybe we'll find a few other issues when attempting to build. Specifically building in a DispVM is untested.

This is an optional safeguard for release builds - to not build from the
wrong branch by mistake. Simply remove "CHECK_BRANCH" setting from
builder.conf.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[adrelanos]

BTW any special reason/meaning for such long tag names? I guess it comes from git describe (which in case of no tag, prints last tag name + last commit id), right? No problem, just curious.

Yes. Just git describe. I added a small shortcut to quickly create a tag based on git describe + git push it. It turned out Qubes Builder is capable to work with this and was mistaken you are sometimes doing the same. If there is a more canonical way for the "quick'n'dirty tags", I am happy to adapt it since I don't specifically like those long git tag names.

This is an optional safeguard for release builds - to not build from the wrong branch by mistake. Simply remove "CHECK_BRANCH" setting from builder.conf.

Good to know. But it was a false alarm. (My mistake: qubes-template-whonix was fetched from your repo, not mine, which has this fixed.)

[adrelanos]

BTW any special reason/meaning for such long tag names? I guess it comes from git describe (which in case of no tag, prints last tag name + last commit id), right? No problem, just curious.

Yes. Just git describe. I added a small shortcut to quickly create a tag based on git describe + git push it. It turned out Qubes Builder is capable to work with this and was mistaken you are sometimes doing the same. If there is a more canonical way for the "quick'n'dirty tags", I am happy to adapt it since I don't specifically like those long git tag names.

This is an optional safeguard for release builds - to not build from the wrong branch by mistake. Simply remove "CHECK_BRANCH" setting from builder.conf.

Good to know. But it was a false alarm. (My mistake: qubes-template-whonix was fetched from your repo, not mine, which has this fixed.)

[marmarek]

On Sun, Oct 11, 2015 at 02:54:58PM -0700, Patrick Schleizer wrote:

Yes. Just git describe. I added a small shortcut to quickly create a tag based on git describe + git push it. It turned out Qubes Builder is capable to work with this and was mistaken you are sometimes doing the same. If there is a more canonical way for the "quick'n'dirty tags", I am happy to adapt it since I don't specifically like those long git tag names.

I have this git alias:
stag = "!id=git show --pretty=format:%H|head -1; git tag -s -m "Tag for commit $id" mm_${id:0:8}"

Adjust tag prefix :)

Good to know. But it was a false alarm. (My mistake: qubes-template-whonix was fetched from your repo, not mine, which has this fixed.)

Ok, so starting the build.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

On Sun, Oct 11, 2015 at 02:54:58PM -0700, Patrick Schleizer wrote:

Yes. Just git describe. I added a small shortcut to quickly create a tag based on git describe + git push it. It turned out Qubes Builder is capable to work with this and was mistaken you are sometimes doing the same. If there is a more canonical way for the "quick'n'dirty tags", I am happy to adapt it since I don't specifically like those long git tag names.

I have this git alias:
stag = "!id=git show --pretty=format:%H|head -1; git tag -s -m "Tag for commit $id" mm_${id:0:8}"

Adjust tag prefix :)

Good to know. But it was a false alarm. (My mistake: qubes-template-whonix was fetched from your repo, not mine, which has this fixed.)

Ok, so starting the build.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[adrelanos]

Using the following config.

cp example-configs/qubes-os-r3.0.conf ./builder.conf
+
override.conf:

VERBOSE = 3
DEBUG = 1

REPO_PROXY = http://127.0.0.1:3142
CHECK_BRANCH = 1

BRANCH_template_whonix = master
GIT_URL_template_whonix = https://github.com/adrelanos/qubes-template-whonix.git

(running apt-cacher-ng) (+ few more comments but those are just for me, nevermind those.)

[adrelanos]

Using the following config.

cp example-configs/qubes-os-r3.0.conf ./builder.conf
+
override.conf:

VERBOSE = 3
DEBUG = 1

REPO_PROXY = http://127.0.0.1:3142
CHECK_BRANCH = 1

BRANCH_template_whonix = master
GIT_URL_template_whonix = https://github.com/adrelanos/qubes-template-whonix.git

(running apt-cacher-ng) (+ few more comments but those are just for me, nevermind those.)

[marmarek]

Uploading packages, ETA 30min. To install them, execute in dom0:

sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable qubes-template-whonix-gw-testonly qubes-template-whonix-ws-testonly

Disclaimer: I haven't tried to install/launch them

[marmarek]

Uploading packages, ETA 30min. To install them, execute in dom0:

sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable qubes-template-whonix-gw-testonly qubes-template-whonix-ws-testonly

Disclaimer: I haven't tried to install/launch them

[adrelanos]

Where do you configure the package names or do you manually rename those?

[adrelanos]

Where do you configure the package names or do you manually rename those?

[adrelanos]

Could you share the build log please?

[adrelanos]

Could you share the build log please?

[adrelanos]

Images are ready for testing. (@bnvk)

[adrelanos]

Images are ready for testing. (@bnvk)

[bnvk]

@adrelanos @marmarek awesome. Seems to be installing just fine. Huge thanks to both of you, will try it out now :)

[bnvk]

@adrelanos @marmarek awesome. Seems to be installing just fine. Huge thanks to both of you, will try it out now :)

[marmarek]

Where do you configure the package names or do you manually rename those?

Just modified TEMPLATE_LABEL in builder.conf
The lines are:

TEMPLATE_LABEL += jessie+whonix-gateway+minimal+no-recommends:whonix-gw-testonly
TEMPLATE_LABEL += jessie+whonix-workstation+minimal+no-recommends:whonix-ws-testonly

Could you share the build log please?

Sure:
gw: https://gist.github.com/61091a8152bec37ba9c8
ws: https://gist.github.com/c15b5e64cfaaee4f3851

[marmarek]

Where do you configure the package names or do you manually rename those?

Just modified TEMPLATE_LABEL in builder.conf
The lines are:

TEMPLATE_LABEL += jessie+whonix-gateway+minimal+no-recommends:whonix-gw-testonly
TEMPLATE_LABEL += jessie+whonix-workstation+minimal+no-recommends:whonix-ws-testonly

Could you share the build log please?

Sure:
gw: https://gist.github.com/61091a8152bec37ba9c8
ws: https://gist.github.com/c15b5e64cfaaee4f3851

[adrelanos]

Thanks!

Hm. It's alright for the test-only image, but not very verbose. No output of Whonix's build script. All packages installed as expected, otherwise whonixcheck would notice.

For the RC build that we can do soon, could you enable debug and verbose please?

---

Why was @nrgaway's key imported during the build? Should not be required?

[adrelanos]

Thanks!

Hm. It's alright for the test-only image, but not very verbose. No output of Whonix's build script. All packages installed as expected, otherwise whonixcheck would notice.

For the RC build that we can do soon, could you enable debug and verbose please?

---

Why was @nrgaway's key imported during the build? Should not be required?

[marmarek]

On Fri, Oct 16, 2015 at 02:27:32PM -0700, Patrick Schleizer wrote:

Thanks!

Hm. It's alright for the test-only image, but not very verbose. No output of Whonix's build script. All packages installed as expected, otherwise whonixcheck would notice.

For the RC build that we can do soon, could you enable debug and verbose please?

Sure.

---

Why was @nrgaway's key imported during the build? Should not be required?

Some of previous builds were based on his repository. And in fact he was
a maintainer of whonix-qubes package. Should his key be removed there?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

On Fri, Oct 16, 2015 at 02:27:32PM -0700, Patrick Schleizer wrote:

Thanks!

Hm. It's alright for the test-only image, but not very verbose. No output of Whonix's build script. All packages installed as expected, otherwise whonixcheck would notice.

For the RC build that we can do soon, could you enable debug and verbose please?

Sure.

---

Why was @nrgaway's key imported during the build? Should not be required?

Some of previous builds were based on his repository. And in fact he was
a maintainer of whonix-qubes package. Should his key be removed there?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[adrelanos]

Since @nrgaway is no longer working on it and I am maintaining it now, yes.

[adrelanos]

Since @nrgaway is no longer working on it and I am maintaining it now, yes.

[adrelanos]

Some of previous builds were based on his repository. And in fact he was a maintainer of whonix-qubes package. Should his key be removed there?

Since @nrgaway is no longer working on it and I am maintaining it now, yes.

Was this done? I would send a PR, but I don't know where the code is located that configures this.

[adrelanos]

Some of previous builds were based on his repository. And in fact he was a maintainer of whonix-qubes package. Should his key be removed there?

Since @nrgaway is no longer working on it and I am maintaining it now, yes.

Was this done? I would send a PR, but I don't know where the code is located that configures this.